Worldcoin, a proof of humanity protocol, recently released the reports of audits conducted by security consulting firms Nethermind and Least Authority. These reports come at a time when criticism of Worldcoin’s data collection practices continues to mount. In this article, we will delve into the findings of the audit reports and explore the implications for the project.
Worldcoin gained significant attention in 2021 when it announced its plan to distribute free tokens to users who verified their humanness. This verification process involved scanning users’ irises using a device called the “Orb.” The project’s co-founder, Sam Altman, argued that this was necessary to combat the rising threat of AI bots on the internet. However, concerns about privacy arose as users questioned the storage and use of their iris scans.
Nethermind’s audit uncovered 26 security issues with the Worldcoin protocol. Fortunately, 24 of these issues were identified and fixed during the verification phase. One issue was successfully mitigated, while another was acknowledged but remained unresolved. Least Authority, on the other hand, discovered three issues and provided six suggestions for improvement. Worldcoin claims to have resolved, or planned resolutions for, all of these suggestions.
Soon after its public launch, Worldcoin faced intense criticism from various angles. The United Kingdom’s Information Commissioner’s Office (ICO) raised concerns about potential violations of data protection laws, leading to the possibility of an investigation. The French data protection agency CNIL also questioned the legality of Worldcoin’s operations. These challenges raised doubts about the project’s future and its compliance with privacy regulations.
The launch of Worldcoin created a division within the crypto community. Some participants viewed it as a sinister step towards a dystopian future, where privacy is sacrificed for the sake of security. On the other hand, some individuals saw the project as a necessary defense mechanism against the growing threat of malicious AI bots. This divide highlighted the ethical and philosophical questions surrounding Worldcoin’s mission.
The audit reports cover a broad range of security topics, including resistance to DDoS attacks, implementation errors, key storage and management, encryption and signing of keys, data leakage, and information integrity. Some of the identified issues resulted from dependencies on Semaphore and Ethereum, such as elliptic curve precompile support and Poseidon hash function configuration. The majority of these issues were successfully addressed, mitigated, or have planned fixes.
Worldcoin’s audit reports shed light on the security vulnerabilities and potential privacy concerns surrounding the project. While significant progress has been made in addressing these issues, there is still work to be done to alleviate the doubts raised by critics. As the project moves forward, it will need to navigate the complicated landscape of data protection laws and gain public trust to succeed in its mission to verify humanness securely.